{
	"id": "3ed5d4a1-b138-42c1-8ef3-351a595c12fe",
	"created_at": "2026-04-06T00:21:10.813984Z",
	"updated_at": "2026-04-10T03:22:00.314371Z",
	"deleted_at": null,
	"sha1_hash": "fe5eed45eb876622ea1b2c7c9fb5c2d9bcdce29c",
	"title": "FluBot Malware Persists: Most Prevalent In Germany and Spain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 331736,
	"plain_text": "FluBot Malware Persists: Most Prevalent In Germany and Spain\r\nBy André Tavares\r\nPublished: 2022-02-04 · Archived: 2026-04-05 21:13:39 UTC\r\nBitsight has been collecting FluBot infection telemetry data since March 2021. In total, we have identified 1.3\r\nmillion IPs used by infected Android devices. Last month, it was mostly spread in Germany and Spain.\r\nAdditionally, we are tracking an increase in IPs over time, which likely indicates an increase in infected devices.\r\nFirst seen in early 2020, FluBot is a banking trojan used to steal banking, contact, SMS and other types of private\r\ndata. Its operators have discovered creative means of distributing the malware, evolving their social engineering\r\ntactics and delivery methods to fuel the continued growth and expansion of FluBot.\r\nFluBot gives threat actors full remote control of an infected device, including the ability to send, intercept, and\r\nhide SMS messages and notifications; exfiltrate user sensitive data, such as contacts, keystrokes, one-time\r\npasscodes, and personal information; and carry out overlay attacks.\r\nThe malware is commonly spread via SMS messages to the contacts on an infected device as well as contacts\r\ndownloaded from FluBot’s C2 server. FluBot typically appears as a message for package delivery. Below are some\r\nexamples:\r\nBitsight currently observes FluBot is mostly spread in Europe, specifically in Germany, Spain and Italy (74%), but\r\nalso in Australia (7%). This appears to track with recent reports that suggest Flubot operators specifically target\r\ndifferent regions or countries. However, it may also be a function of how FluBot spreads. It stands to reason that\r\nthe majority of a victim’s contacts are people in the same region or country. 
So, regional infection may not be\r\nintentional per se, but rather a consequence of the malware’s design.\r\nBelow is a chart showing daily FluBot infections by country that Bitsight has detected since March 2021,\r\nhighlighting the consistent impact to German and Spanish users.\r\nhttps://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain\r\nPage 1 of 5\n\nSince Bitsight began tracking FluBot, we have also seen an increase of impacted IPs. The number of IPs does not\r\ndirectly correspond to the number of infected devices, because a mobile device can share the same IPv4 address as\r\nother devices due to network address translation (NAT) and IPv4 exhaustion. However, a rise in IPs may be an\r\nindicator of rising device infections.\r\nThe following diagrams show our visibility into the geographical distribution of all FluBot versions in January\r\n2022.\r\nhttps://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain\r\nPage 2 of 5\n\nIn January, approximately 170,000 IPs (used by infected devices) contacted our sinkhole infrastructure. The\r\nmajority of those are infected with FluBot versions 4.8 and earlier. These versions communicate with its C2 server\r\nvia HTTPS. Since version 4.9, FluBot has communicated with its C2 server via DNS-Tunneling-over-HTTPS\r\n(DoH). Of the 170,000 IPs observed in January, approximately 30,000 were infected with FluBot 4.9 through 5.2\r\n(the current version at the time of this writing).\r\nFluBot uses a domain generation algorithm (DGA) to be able to communicate with its C2 server. On version 5.1,\r\nthere was an update on the DGA (python version on the IOCs section). 
Changes include an additional seed that is downloaded from the C2 server to generate more domains.\r\nIn these newer versions, the operators run a nameserver that acts as the C2 server, receiving and sending data over the DNS protocol; FluBot relays its queries through public DoH providers such as Google and Cloudflare to infiltrate and exfiltrate data, so the infected device can talk to its C2 server without ever knowing the server's IP address.\r\nThe DoH provider forwards the query to the authoritative nameserver (the C2 server), which answers with the TXT record the bot requested. The request carries a symmetric key generated by the bot and encrypted with RSA; the matching private key is held on the C2 server.\r\nNote: The drop reflected in August is due to temporary collection issues.\r\nWhile FluBot operators do not appear to be specifically targeting organizations as opposed to individuals, it is still critical for security professionals to take appropriate steps to mitigate risk.\r\nSince FluBot is spread using social engineering, employee education is essential. Share examples of FluBot SMS messages and malicious lure pages so employees know what to look for. Effective employee training can avert FluBot infection entirely.\r\nAnti-malware software should be considered essential to prevent, detect, and remove FluBot infections. FluBot can be removed manually; however, manual removal may be time-consuming, especially if the infection is widespread. 
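As an added example (not code from the Bitsight post), here is detection logic that applies the shape of the FluBot DGA, 15 letters drawn from a to y followed by one of the TLDs used by the DGA script in the IOCs section, to TXT queries in a DNS/DoH query log. The log format, the sample log lines and the public resolver addresses are constructed for this example; only the TLD list and the label shape come from the page.

```python
# Added example (not Bitsight's code): flag DNS/DoH TXT queries whose query
# name has the shape of the FluBot DGA described on this page. The log
# format, the sample lines and the resolver IP list are constructed here.

# TLDs from the page's DGA script ('pw' is listed twice there, hence a set).
FLUBOT_TLDS = {
    'ru', 'cn', 'com', 'org', 'pw', 'net', 'bar', 'host', 'online', 'space',
    'site', 'xyz', 'website', 'shop', 'kz', 'md', 'tj', 'gdn', 'am', 'com.ua',
    'news', 'email', 'icu', 'biz', 'kim', 'work', 'top', 'info', 'br',
}
# The DGA builds 15 characters with chr(nextInt(25) + 97): 'a'..'y', never 'z'.
DGA_LABEL_LEN = 15
DGA_ALPHABET = set('abcdefghijklmnopqrstuvwxy')
# Public DoH resolvers of the two providers the post names (Google, Cloudflare);
# assumption: the log records which resolver the client used.
DOH_RESOLVERS = {'8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1'}

# Constructed sample log, one query per line:
# <timestamp> <client> <resolver> <qtype> <qname>
SAMPLE_LOG = '''
2022-01-12T08:14:03Z 10.20.1.17 8.8.8.8 TXT bqkvtmxdwhscrlp.ru
2022-01-12T08:14:05Z 10.20.1.17 8.8.8.8 TXT ndwqsktyrmvpxlh.com.ua
2022-01-12T08:14:09Z 10.20.1.42 10.20.0.53 A www.example.com
2022-01-12T08:14:11Z 10.20.1.42 10.20.0.53 TXT _dmarc.example.com
2022-01-12T08:14:15Z 10.20.1.17 1.1.1.1 TXT abcdefghijklmnz.xyz
'''


def is_flubot_dga_domain(name):
    '''True if name is exactly 15 letters from a-y followed by a DGA TLD.'''
    name = name.lower().rstrip('.')
    for tld in FLUBOT_TLDS:
        suffix = '.' + tld
        if name.endswith(suffix):
            label = name[:-len(suffix)]
            return len(label) == DGA_LABEL_LEN and set(label) <= DGA_ALPHABET
    return False


def flag_txt_queries(log_text):
    '''Return (timestamp, client, qname, via_public_doh) for every TXT query
    to a DGA-shaped name; other record types and malformed lines are skipped.'''
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or malformed line
        ts, client, resolver, qtype, qname = parts
        if qtype.upper() != 'TXT':
            continue  # the C2 channel answers in TXT records
        if not is_flubot_dga_domain(qname):
            continue
        hits.append((ts, client, qname, resolver in DOH_RESOLVERS))
    return hits


if __name__ == '__main__':
    for hit in flag_txt_queries(SAMPLE_LOG):
        print(hit)
```

Because the bot sends these queries through public DoH resolvers rather than the enterprise resolver, a conventional resolver log will not contain them; the check applies only where query names are visible (a DoH-terminating proxy or endpoint DNS telemetry). Where they are not, the practical control is to alert on, or block, mobile clients that reach public DoH endpoints at all.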
Mobile device management (MDM) solutions that can restrict the ability to install apps may be appropriate for some organizations, as well.\r\nBitsight has identified a number of indicators of compromise (IOC), which are detailed below:\r\nFluBot samples (APKs, SHA-256)\r\ndf98a8b9f15f4c70505d7c8e0c74b12ea708c084fbbffd5c38424481ae37976f\r\n29d71a81bb8aa363d93adc9352e791720263935fb4c9cc0cfc20be0d1c6d3fdc\r\n8ef32886de7fb2fcfbde483044ef21a196ea5525df04e0f391ef491b62959de1\r\n5b404c066e702802b7475d2c2eecebd6fceb2490773f92d501d57b53de34213c\r\n4859ab9cd5efbe0d4f63799126110d744a42eff057fa22ff1bd11cb59b49608c\r\ndcb5e9c2f2c7c2a94b6419527361790132af20d60e681ca87c0c5257393cbac8\r\n4a49972ed962b5326b9edcb9edbfeef47d3a216cf5847d579eb0c69a3ed6b9be\r\nd1e40e321456c2a9e6d06c4e79961d388cd55050c055f47cdd9e0a2db571916b\r\naf83e659196774e779b22038e11c4b0a4665d082064fe997510634000fdb0222\r\na2d3292bb87f8d6b3ce4b45d9ae6d61b4b7398770f732b72c881f43b66a49461\r\nFluBot DGA v3 (Python)\r\nimport argparse\r\nfrom datetime import datetime\r\n\r\n# Python port of java.util.Random so the output matches the bot's own generator:\r\n# https://github.com/MostAwesomeDude/java-random/blob/master/javarandom.py\r\nfrom javarandom import Random\r\n\r\n\r\ndef get_seed(init, year, month):\r\n    # Mix the (0-based) month and year into a 64-bit value and add the per-sample seed.\r\n    month = month - 1\r\n    j = ((year ^ month) ^ 0)\r\n    j2 = j * 2\r\n    j3 = j2 * (year ^ j2)\r\n    j4 = j3 * (month ^ j3)\r\n    j5 = (j4 * j4) % 2 ** 64\r\n    seed = j5 + init\r\n    return seed\r\n\r\n\r\nif __name__ == '__main__':\r\n    parser = argparse.ArgumentParser(description='FluBot DGA v3')\r\n    # Each sample embeds one of these seed values.\r\n    parser.add_argument(\r\n        '-s', '--seed', choices=[1949, 1945, 1813, 1136, 2931, 1642, 1905], type=int, required=True)\r\n    parser.add_argument(\r\n        '-y', '--year', help='default current year (YYYY)', type=int, required=False)\r\n    parser.add_argument(\r\n        '-m', '--month', help='default current month (MM)', type=int, required=False)\r\n\r\n    # parse arguments; year and month default to the current UTC date\r\n    args = parser.parse_args()\r\n    seedinit = args.seed\r\n    now = datetime.utcnow()\r\n    year = args.year if args.year else now.year\r\n    month = args.month if args.month else now.month\r\n\r\n    r = Random(seed=get_seed(seedinit, year, month))\r\n    tlds = ['ru', 'cn', 'com', 'org',\r\n            'pw', 'net', 'bar', 'host',\r\n            'online', 'space', 'site',\r\n            'xyz', 'website', 'shop',\r\n            'kz', 'md', 'tj', 'pw', 'gdn',\r\n            'am', 'com.ua', 'news', 'email',\r\n            'icu', 'biz', 'kim', 'work',\r\n            'top', 'info', 'br']\r\n\r\n    # 2500 candidate domains per month: 15 letters drawn from 'a'..'y'\r\n    # (nextInt(25) never yields 'z'), rotating through the TLD list.\r\n    for i in range(2500):\r\n        domain = ''\r\n        for _ in range(15):\r\n            domain += chr(r.nextInt(25) + 97)\r\n        domain = f'{domain}.{tlds[i % len(tlds)]}'\r\n        print(domain)\r\nSource: https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain"
	],
	"report_names": [
		"flubot-malware-persists-most-prevalent-germany-and-spain"
	],
	"threat_actors": [],
	"ts_created_at": 1775434870,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe5eed45eb876622ea1b2c7c9fb5c2d9bcdce29c.pdf",
		"text": "https://archive.orkl.eu/fe5eed45eb876622ea1b2c7c9fb5c2d9bcdce29c.txt",
		"img": "https://archive.orkl.eu/fe5eed45eb876622ea1b2c7c9fb5c2d9bcdce29c.jpg"
	}
}